Set up router
8 July 21 - 3 August 2023
DdeC

How to set up a Mikrotik box
Written after setting up RB2011, CRS109 and RB3011 with RouterOS version 6
========================

Accessing the device.

For protection from the internet during setup, most of this can be done without connecting the device's WAN port (probably ether1) to the internet, although the default configuration does include IPv4 firewall rules.

You may be able to access the device with known credentials, or just use 'admin' with a blank password. Otherwise you need to reset the configuration. To perform the reset, connect the power then immediately press the reset button for a few seconds until the green LED starts to flash.

The default configuration has wifi inactive. For ethernet, different Mikrotik devices have different defaults after reset (see ref. 4), but one standard is to have the first ethernet port set up for WAN, and you are recommended to connect to eth2, which is set to 192.168.88.1, by connecting directly from a computer set to receive an address by DHCP (or with a fixed address in the 192.168.88.0 subnet).

(further detail) It seems you can't connect to a freshly-reset device through a router, whether that router is connected to eth1 on the device and issuing it an address by DHCP, or connected to a LAN port on a 192.168.88.0 LAN. But once you have connected, disabling the IPv4 default-configuration firewall rule on the input chain that drops 'all not coming from LAN' (while Quick Set>Internet Address Acquisition is still on 'Automatic') allows access through a router to eth1, which may be useful for setting up the device. Activating wifi on an equipped device also allows access.

Setting up the device.

Setup can be done in various ways: using a RouterOS 'rsc' configuration file, from the command line by SSH or in the Terminal, or with the separate Winbox program. Here the use of Webfig, a console reachable from a browser, is described. Go to 192.168.88.1 and log in as 'admin' with the password blank.
Mikrotik suggests an extra step to make sure the firmware is completely reset (ref. 5, under 'Router without Default Configuration'). In Webfig, in the left menubar go to 'System' then 'Reset Configuration', select 'No Default Configuration' and 'Do Not Backup', then press 'Reset Configuration'. This may be useful to remove all traces of previous configurations. Now you need to access the device again.

If a suitable 'resource' config. file for the device (or even a 'backup' file from the same or an identical machine) is available, load that ('import'); otherwise here are steps to set up the Routerboard from scratch.

The 'Quick Set' panel can be used for basic settings. At the top right a pulldown menu gives a list of setup types exposing more or fewer controls. In the 'System' area, give the device a name ('Router Identity') and a password. If the device has wifi you can also set the SSID ('Network Name') and wifi password (once a 'Country' is assigned and the configuration applied, you can connect by wifi).

Still in 'Quick Set', under 'Configuration' choose whether the device is going to be a router (can pass traffic upstream to another network) or a switch (exchange of packets among peers), or sometimes other roles. If 'Router' is chosen, under 'Internet' you can set the type of upstream connection according to your arrangements with an ISP, although this may need refining later: 'Static' (fixed IP addresses), 'Automatic' (DHCP client to get addresses from upstream), or 'PPPoE' (a protocol for authentication with upstream). Under 'Local Network' you can set the address of a prebuilt bridge over the device's LAN ports. Apply the configuration.

Security.

Good to get right, especially if the box will be connected directly to the internet, i.e. at the edge of your network. See ref. 1 below.

- System>Users: make a new user and password with full rights. Restrict access to 'Allowed Addresses'. Disable 'admin' access.
- IP>Firewall (and optionally IPv6>Firewall): set up firewalls. Be careful not to lock yourself out when changing firewall rules; best activate "Safe Mode" by pressing the button before making the change. If all goes well, after a while de-activate Safe Mode (if you are locked out, log in again, as the change won't have been saved). See refs 1 & 3 and elsewhere for IPv4 and v6 firewalls. As the firewall default is to allow all that is not forbidden, you might want to write a final rule for each chain that drops all that gets through to there. Until you are satisfied you are not blocking anything you want to let through (such as your connection from a local machine!), you might want to add a temporary rule just before it, to accept all packets and make log entries, which you can check.
- IP>Services: disable unused services (e.g. api, api-ssl, www-ssl, ftp and telnet). Set the services you plan to make available (e.g. ssh, www, winbox) to be 'Available From' only the addresses or subnets you choose (e.g. from specific hosts, or from any RFC1918 address, etc.). Remember that if you restrict access here and under System>Users>Allowed Address, both need to allow an address for access to this device to be available from it. If you like, change the access ports, e.g. for SSH, to a random high port number, and make a note of it somewhere!
- System>Packages: inactivate unused packages, e.g. Hotspot, MPLS (MultiProtocol Label Switching), depending on the RouterBOARD in use; e.g. you may not need wireless. Enable IPv6.
- IP>Neighbors: only interesting if there is more than one router locally, in which case set Discovery Interface List to 'LAN' or 'WAN' as appropriate. Otherwise inactivate by setting Discovery Interface List to none.
- IP>DNS: set some (upstream) Servers if not populated. Disable 'Allow remote requests' unless this will be a DNS cache for 'remote' devices
(in which case see note 2 below).
- IP>UPnP: disable.
- Tools>MAC Server: MAC telnet server (only between MT devices), none. MAC ping, disabled. MAC Winbox, probably only from LAN.
- Tools>BTest: test server (for tests of bandwidth between MT routers); disable unless planning to use.

Update.

Once you are happy with the security you can plug in the WAN cable and check for updates.
- Firmware at System>Packages>Check for updates. Prefer 'stable'. Will reboot at the end of the upgrade. Then System>Packages>Check Installation.
- Boot software (RouterBOOT loader) at System>RouterBOARD>Upgrade (then reboot).

System settings.

- At System>Clock set the time and enter your Time Zone, or check Autodetect. The manual settings are not necessary. At System>SNTP Client set the server(s) for network time. (For memory, I use 161.65.172.9 from the NZ Measurement Standards Laboratory.) Time from the internet is also provided from IP>Cloud (by Mikrotik) but less often.

Subnets on ethernet interfaces.

- Set up subnets with bridged ports as desired. See other document 'Bridge ports together.txt'. Bridges need entries in IP>DHCP Server>DHCP and IP>DHCP Server>Networks. Entries in IP>DHCP Server>Leases will autopopulate as hosts on the LAN request IPv4 addresses by DHCP. Can include mention of them as part of LAN in Interface>Interface List.

Access Internet:
- Access the Internet from LAN devices by setting a rule in IP>Firewall>NAT, or by command line in Terminal if not already present: '/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade'. Check security e.g. at 'Shields Up'.

Other and optional steps:

Email:
- Could set up for email reporting in Tools>Email.
Scripts:
- Scripts can be composed in/added to System>Scripts and scheduled at System>Scheduler.
Static addresses:
- Could set static addresses for local devices in the DHCP pool at IP>DHCP Server>Leases>'Make static'.
Watchdog:
- In System>Watchdog, set to email if automatic restart after hang.
Jumper reset:
- Check enabled in System>RouterBOARD>Settings (in case the machine hangs completely).
Use SSL to log in to the machine (works, but still gets warnings in some browsers as not completely compliant https):
- Set up a self-signed certificate (System>Certificates; add new, common-name="certificate name" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server,key-cert-sign,crl-sign. Then Apply and Sign), then in System>Services enable www-ssl, select the new certificate and, when it's working, inactivate www and log in by https.

-----------------------
References.

1. Securing your router (Mikrotik): wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
2. DNS cache is always available to the router: 'Allow remote requests' concerns DNS queries from other hosts, both LAN and WAN. So, if you allow this, block incoming to port 53 from the internet, with entries for both TCP and UDP, check the firewall allows LAN queries on 53 as input, and check some upstream servers are listed in IP>DNS.
3. Default rules by rextended: https://forum.mikrotik.com/viewtopic.php?f=13&t=175129&p=856824#p856824
4. Default Configurations: https://help.mikrotik.com/docs/display/ROS/Default%20configurations
5. Mikrotik "First time configuration": https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration
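The Security, Access Internet and SSL steps above, collected as an added RouterOS v6 Terminal script; this is not from the original note or from Mikrotik. NEWADMIN, the password, SSH port 22022, the upstream resolver 192.0.2.53 and the certificate name "webfig" are placeholders, and the LAN and WAN interface lists are assumed to exist from the default configuration.

```routeros
# Placeholders (not from the note): NEWADMIN, CHANGE-ME, port 22022,
# upstream resolver 192.0.2.53 and certificate name "webfig".
# Assumes the default-configuration interface lists LAN and WAN exist.

# System>Users: full-rights account limited to the management subnet, then retire 'admin'
/user add name=NEWADMIN password="CHANGE-ME" group=full address=192.168.88.0/24
/user disable admin

# IP>Firewall: allow what is needed, then a temporary accept+log rule, then the final drop
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept comment="management from LAN"
add chain=input action=accept log=yes log-prefix="input-leak" comment="TEMPORARY: check /log, then remove"
add chain=input action=drop comment="final drop"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="LAN to Internet"
add chain=forward action=accept log=yes log-prefix="forward-leak" comment="TEMPORARY: check /log, then remove"
add chain=forward action=drop comment="final drop"

# Access Internet: masquerade LAN traffic leaving on the WAN port (the command the note gives)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# IP>Services: disable unused, restrict the rest by source address, move SSH to a high port
/ip service disable telnet,ftp,www-ssl,api,api-ssl
/ip service set ssh address=192.168.88.0/24 port=22022
/ip service set www address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# IP>Neighbors, IP>DNS, IP>UPnP, Tools>MAC Server, Tools>BTest
/ip neighbor discovery-settings set discover-interface-list=none
/ip dns set servers=192.0.2.53 allow-remote-requests=no
/ip upnp set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no

# System>Packages: disable unused packages, enable IPv6 (takes effect after reboot)
/system package disable hotspot,mpls
/system package enable ipv6

# Self-signed certificate for https access to Webfig; disable plain www only once https works
/certificate add name=webfig common-name=webfig days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server,key-cert-sign,crl-sign
/certificate sign webfig
/ip service set www-ssl certificate=webfig disabled=no
```

Run it from a Terminal session with Safe Mode on (Ctrl-X), and delete the two TEMPORARY rules once the log shows nothing legitimate reaching them.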